705873 - [ObjShrink] "Assertion failure: (jsuint)keyval >= obj->getDenseArrayInitializedLength() || obj->getDenseArrayElement(keyval).isMagic(JS_ARRAY_HOLE),"

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

a = []
function f(o) {
    o[5] = {}
}
for (var i = 0; i < 20; i++) {
    with(a) f(a)
}

asserts js debug shell on JM changeset 5546f57c9567 with -m at Assertion failure: (jsuint)keyval >= obj->getDenseArrayInitializedLength() || obj->getDenseArrayElement(keyval).isMagic(JS_ARRAY_HOLE),

Doesn't seem to occur with m-c changeset bc48009a6bbb.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   80557:13b3669cad6c
user:        Brian Hackett
date:        Mon Nov 21 19:20:39 2011 -0500
summary:     Dense arrays should have numFixedSlots() == 0, regardless of size class. bug 704348

Comment 1

[Brian Hackett [Laid off!]]

Bogus assert.  It used to be that dense array inline paths tested the incoming object's class, and if that test passed but another failed then an array hole was being accessed.  Now the testing is done based on the object's shape, and dense arrays can have multiple shapes (though the arrays associated with a given parent will almost all have the same shape, except in weird circumstances like the 'with(a)' setting the object's DELEGATE flag.

https://hg.mozilla.org/projects/jaegermonkey/rev/c4832f2d9986

Comment 2

[Christian Holler (:decoder)]

A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug705873.js.